Simon Glass | bf7fd50 | 2016-11-25 20:15:51 -0700 | [diff] [blame^] | 1 | # Copyright (c) 2016 Google, Inc |
| 2 | # |
| 3 | # SPDX-License-Identifier: GPL-2.0+ |
| 4 | # |
| 5 | |
| 6 | Introduction |
| 7 | ------------ |
| 8 | |
| 9 | Firmware often consists of several components which must be packaged together. |
| 10 | For example, we may have SPL, U-Boot, a device tree and an environment area |
| 11 | grouped together and placed in MMC flash. When the system starts, it must be |
| 12 | able to find these pieces. |
| 13 | |
| 14 | So far U-Boot has not provided a way to handle creating such images in a |
| 15 | general way. Each SoC does what it needs to build an image, often packing or |
| 16 | concatenating images in the U-Boot build system. |
| 17 | |
| 18 | Binman aims to provide a mechanism for building images, from simple |
| 19 | SPL + U-Boot combinations, to more complex arrangements with many parts. |
| 20 | |
| 21 | |
| 22 | What it does |
| 23 | ------------ |
| 24 | |
| 25 | Binman reads your board's device tree and finds a node which describes the |
| 26 | required image layout. It uses this to work out what to place where. The |
| 27 | output file normally contains the device tree, so it is in principle possible |
| 28 | to read an image and extract its constituent parts. |
| 29 | |
| 30 | |
| 31 | Features |
| 32 | -------- |
| 33 | |
| 34 | So far binman is pretty simple. It supports binary blobs, such as 'u-boot', |
| 35 | 'spl' and 'fdt'. It supports empty entries (such as setting to 0xff). It can |
| 36 | place entries at a fixed location in the image, or fit them together with |
| 37 | suitable padding and alignment. It provides a way to process binaries before |
| 38 | they are included, by adding a Python plug-in. The device tree is available |
| 39 | to U-Boot at run-time so that the images can be interpreted. |
| 40 | |
| 41 | Binman does not yet update the device tree with the final location of |
| 42 | everything when it is done. A simple C structure could be generated for |
| 43 | constrained environments like SPL (using dtoc) but this is also not |
| 44 | implemented. |
| 45 | |
| 46 | Binman can also support incorporating filesystems in the image if required. |
| 47 | For example x86 platforms may use CBFS in some cases. |
| 48 | |
| 49 | Binman is intended for use with U-Boot but is designed to be general enough |
| 50 | to be useful in other image-packaging situations. |
| 51 | |
| 52 | |
| 53 | Motivation |
| 54 | ---------- |
| 55 | |
| 56 | Packaging of firmware is quite a different task from building the various |
| 57 | parts. In many cases the various binaries which go into the image come from |
| 58 | separate build systems. For example, ARM Trusted Firmware is used on ARMv8 |
| 59 | devices but is not built in the U-Boot tree. If a Linux kernel is included |
| 60 | in the firmware image, it is built elsewhere. |
| 61 | |
| 62 | It is of course possible to add more and more build rules to the U-Boot |
| 63 | build system to cover these cases. It can shell out to other Makefiles and |
| 64 | build scripts. But it seems better to create a clear divide between building |
| 65 | software and packaging it. |
| 66 | |
| 67 | At present this is handled by manual instructions, different for each board, |
| 68 | on how to create images that will boot. By turning these instructions into a |
| 69 | standard format, we can support making valid images for any board without |
| 70 | manual effort, lots of READMEs, etc. |
| 71 | |
| 72 | Benefits: |
| 73 | - Each binary can have its own build system and tool chain without creating |
| 74 | any dependencies between them |
| 75 | - Avoids the need for a single-shot build: individual parts can be updated |
| 76 | and brought in as needed |
| 77 | - Provides for a standard image description available in the build and at |
| 78 | run-time |
| 79 | - SoC-specific image-signing tools can be accomodated |
| 80 | - Avoids cluttering the U-Boot build system with image-building code |
| 81 | - The image description is automatically available at run-time in U-Boot, |
| 82 | SPL. It can be made available to other software also |
| 83 | - The image description is easily readable (it's a text file in device-tree |
| 84 | format) and permits flexible packing of binaries |
| 85 | |
| 86 | |
| 87 | Terminology |
| 88 | ----------- |
| 89 | |
| 90 | Binman uses the following terms: |
| 91 | |
| 92 | - image - an output file containing a firmware image |
| 93 | - binary - an input binary that goes into the image |
| 94 | |
| 95 | |
| 96 | Relationship to FIT |
| 97 | ------------------- |
| 98 | |
| 99 | FIT is U-Boot's official image format. It supports multiple binaries with |
| 100 | load / execution addresses, compression. It also supports verification |
| 101 | through hashing and RSA signatures. |
| 102 | |
| 103 | FIT was originally designed to support booting a Linux kernel (with an |
| 104 | optional ramdisk) and device tree chosen from various options in the FIT. |
| 105 | Now that U-Boot supports configuration via device tree, it is possible to |
| 106 | load U-Boot from a FIT, with the device tree chosen by SPL. |
| 107 | |
| 108 | Binman considers FIT to be one of the binaries it can place in the image. |
| 109 | |
| 110 | Where possible it is best to put as much as possible in the FIT, with binman |
| 111 | used to deal with cases not covered by FIT. Examples include initial |
| 112 | execution (since FIT itself does not have an executable header) and dealing |
| 113 | with device boundaries, such as the read-only/read-write separation in SPI |
| 114 | flash. |
| 115 | |
| 116 | For U-Boot, binman should not be used to create ad-hoc images in place of |
| 117 | FIT. |
| 118 | |
| 119 | |
| 120 | Relationship to mkimage |
| 121 | ----------------------- |
| 122 | |
| 123 | The mkimage tool provides a means to create a FIT. Traditionally it has |
| 124 | needed an image description file: a device tree, like binman, but in a |
| 125 | different format. More recently it has started to support a '-f auto' mode |
| 126 | which can generate that automatically. |
| 127 | |
| 128 | More relevant to binman, mkimage also permits creation of many SoC-specific |
| 129 | image types. These can be listed by running 'mkimage -T list'. Examples |
| 130 | include 'rksd', the Rockchip SD/MMC boot format. The mkimage tool is often |
| 131 | called from the U-Boot build system for this reason. |
| 132 | |
| 133 | Binman considers the output files created by mkimage to be binary blobs |
| 134 | which it can place in an image. Binman does not replace the mkimage tool or |
| 135 | this purpose. It would be possible in some situtions to create a new entry |
| 136 | type for the images in mkimage, but this would not add functionality. It |
| 137 | seems better to use the mkiamge tool to generate binaries and avoid blurring |
| 138 | the boundaries between building input files (mkimage) and packaging then |
| 139 | into a final image (binman). |
| 140 | |
| 141 | |
| 142 | Example use of binman in U-Boot |
| 143 | ------------------------------- |
| 144 | |
| 145 | Binman aims to replace some of the ad-hoc image creation in the U-Boot |
| 146 | build system. |
| 147 | |
| 148 | Consider sunxi. It has the following steps: |
| 149 | |
| 150 | 1. It uses a custom mksunxiboot tool to build an SPL image called |
| 151 | sunxi-spl.bin. This should probably move into mkimage. |
| 152 | |
| 153 | 2. It uses mkimage to package U-Boot into a legacy image file (so that it can |
| 154 | hold the load and execution address) called u-boot.img. |
| 155 | |
| 156 | 3. It builds a final output image called u-boot-sunxi-with-spl.bin which |
| 157 | consists of sunxi-spl.bin, some padding and u-boot.img. |
| 158 | |
| 159 | Binman is intended to replace the last step. The U-Boot build system builds |
| 160 | u-boot.bin and sunxi-spl.bin. Binman can then take over creation of |
| 161 | sunxi-spl.bin (by calling mksunxiboot, or hopefully one day mkimage). In any |
| 162 | case, it would then create the image from the component parts. |
| 163 | |
| 164 | This simplifies the U-Boot Makefile somewhat, since various pieces of logic |
| 165 | can be replaced by a call to binman. |
| 166 | |
| 167 | |
| 168 | Example use of binman for x86 |
| 169 | ----------------------------- |
| 170 | |
| 171 | In most cases x86 images have a lot of binary blobs, 'black-box' code |
| 172 | provided by Intel which must be run for the platform to work. Typically |
| 173 | these blobs are not relocatable and must be placed at fixed areas in the |
| 174 | firmare image. |
| 175 | |
| 176 | Currently this is handled by ifdtool, which places microcode, FSP, MRC, VGA |
| 177 | BIOS, reference code and Intel ME binaries into a u-boot.rom file. |
| 178 | |
| 179 | Binman is intended to replace all of this, with ifdtool left to handle only |
| 180 | the configuration of the Intel-format descriptor. |
| 181 | |
| 182 | |
| 183 | Running binman |
| 184 | -------------- |
| 185 | |
| 186 | Type: |
| 187 | |
| 188 | binman -b <board_name> |
| 189 | |
| 190 | to build an image for a board. The board name is the same name used when |
| 191 | configuring U-Boot (e.g. for sandbox_defconfig the board name is 'sandbox'). |
| 192 | Binman assumes that the input files for the build are in ../b/<board_name>. |
| 193 | |
| 194 | Or you can specify this explicitly: |
| 195 | |
| 196 | binman -I <build_path> |
| 197 | |
| 198 | where <build_path> is the build directory containing the output of the U-Boot |
| 199 | build. |
| 200 | |
| 201 | (Future work will make this more configurable) |
| 202 | |
| 203 | In either case, binman picks up the device tree file (u-boot.dtb) and looks |
| 204 | for its instructions in the 'binman' node. |
| 205 | |
| 206 | Binman has a few other options which you can see by running 'binman -h'. |
| 207 | |
| 208 | |
| 209 | Image description format |
| 210 | ------------------------ |
| 211 | |
| 212 | The binman node is called 'binman'. An example image description is shown |
| 213 | below: |
| 214 | |
| 215 | binman { |
| 216 | filename = "u-boot-sunxi-with-spl.bin"; |
| 217 | pad-byte = <0xff>; |
| 218 | blob { |
| 219 | filename = "spl/sunxi-spl.bin"; |
| 220 | }; |
| 221 | u-boot { |
| 222 | pos = <CONFIG_SPL_PAD_TO>; |
| 223 | }; |
| 224 | }; |
| 225 | |
| 226 | |
| 227 | This requests binman to create an image file called u-boot-sunxi-with-spl.bin |
| 228 | consisting of a specially formatted SPL (spl/sunxi-spl.bin, built by the |
| 229 | normal U-Boot Makefile), some 0xff padding, and a U-Boot legacy image. The |
| 230 | padding comes from the fact that the second binary is placed at |
| 231 | CONFIG_SPL_PAD_TO. If that line were omitted then the U-Boot binary would |
| 232 | immediately follow the SPL binary. |
| 233 | |
| 234 | The binman node describes an image. The sub-nodes describe entries in the |
| 235 | image. Each entry represents a region within the overall image. The name of |
| 236 | the entry (blob, u-boot) tells binman what to put there. For 'blob' we must |
| 237 | provide a filename. For 'u-boot', binman knows that this means 'u-boot.bin'. |
| 238 | |
| 239 | Entries are normally placed into the image sequentially, one after the other. |
| 240 | The image size is the total size of all entries. As you can see, you can |
| 241 | specify the start position of an entry using the 'pos' property. |
| 242 | |
| 243 | Note that due to a device tree requirement, all entries must have a unique |
| 244 | name. If you want to put the same binary in the image multiple times, you can |
| 245 | use any unique name, with the 'type' property providing the type. |
| 246 | |
| 247 | The attributes supported for entries are described below. |
| 248 | |
| 249 | pos: |
| 250 | This sets the position of an entry within the image. The first byte |
| 251 | of the image is normally at position 0. If 'pos' is not provided, |
| 252 | binman sets it to the end of the previous region, or the start of |
| 253 | the image's entry area (normally 0) if there is no previous region. |
| 254 | |
| 255 | align: |
| 256 | This sets the alignment of the entry. The entry position is adjusted |
| 257 | so that the entry starts on an aligned boundary within the image. For |
| 258 | example 'align = <16>' means that the entry will start on a 16-byte |
| 259 | boundary. Alignment shold be a power of 2. If 'align' is not |
| 260 | provided, no alignment is performed. |
| 261 | |
| 262 | size: |
| 263 | This sets the size of the entry. The contents will be padded out to |
| 264 | this size. If this is not provided, it will be set to the size of the |
| 265 | contents. |
| 266 | |
| 267 | pad-before: |
| 268 | Padding before the contents of the entry. Normally this is 0, meaning |
| 269 | that the contents start at the beginning of the entry. This can be |
| 270 | offset the entry contents a little. Defaults to 0. |
| 271 | |
| 272 | pad-after: |
| 273 | Padding after the contents of the entry. Normally this is 0, meaning |
| 274 | that the entry ends at the last byte of content (unless adjusted by |
| 275 | other properties). This allows room to be created in the image for |
| 276 | this entry to expand later. Defaults to 0. |
| 277 | |
| 278 | align-size: |
| 279 | This sets the alignment of the entry size. For example, to ensure |
| 280 | that the size of an entry is a multiple of 64 bytes, set this to 64. |
| 281 | If 'align-size' is not provided, no alignment is performed. |
| 282 | |
| 283 | align-end: |
| 284 | This sets the alignment of the end of an entry. Some entries require |
| 285 | that they end on an alignment boundary, regardless of where they |
| 286 | start. If 'align-end' is not provided, no alignment is performed. |
| 287 | |
| 288 | Note: This is not yet implemented in binman. |
| 289 | |
| 290 | filename: |
| 291 | For 'blob' types this provides the filename containing the binary to |
| 292 | put into the entry. If binman knows about the entry type (like |
| 293 | u-boot-bin), then there is no need to specify this. |
| 294 | |
| 295 | type: |
| 296 | Sets the type of an entry. This defaults to the entry name, but it is |
| 297 | possible to use any name, and then add (for example) 'type = "u-boot"' |
| 298 | to specify the type. |
| 299 | |
| 300 | |
| 301 | The attributes supported for images are described below. Several are similar |
| 302 | to those for entries. |
| 303 | |
| 304 | size: |
| 305 | Sets the image size in bytes, for example 'size = <0x100000>' for a |
| 306 | 1MB image. |
| 307 | |
| 308 | align-size: |
| 309 | This sets the alignment of the image size. For example, to ensure |
| 310 | that the image ends on a 512-byte boundary, use 'align-size = <512>'. |
| 311 | If 'align-size' is not provided, no alignment is performed. |
| 312 | |
| 313 | pad-before: |
| 314 | This sets the padding before the image entries. The first entry will |
| 315 | be positionad after the padding. This defaults to 0. |
| 316 | |
| 317 | pad-after: |
| 318 | This sets the padding after the image entries. The padding will be |
| 319 | placed after the last entry. This defaults to 0. |
| 320 | |
| 321 | pad-byte: |
| 322 | This specifies the pad byte to use when padding in the image. It |
| 323 | defaults to 0. To use 0xff, you would add 'pad-byte = <0xff>'. |
| 324 | |
| 325 | filename: |
| 326 | This specifies the image filename. It defaults to 'image.bin'. |
| 327 | |
| 328 | sort-by-pos: |
| 329 | This causes binman to reorder the entries as needed to make sure they |
| 330 | are in increasing positional order. This can be used when your entry |
| 331 | order may not match the positional order. A common situation is where |
| 332 | the 'pos' properties are set by CONFIG options, so their ordering is |
| 333 | not known a priori. |
| 334 | |
| 335 | This is a boolean property so needs no value. To enable it, add a |
| 336 | line 'sort-by-pos;' to your description. |
| 337 | |
| 338 | multiple-images: |
| 339 | Normally only a single image is generated. To create more than one |
| 340 | image, put this property in the binman node. For example, this will |
| 341 | create image1.bin containing u-boot.bin, and image2.bin containing |
| 342 | both spl/u-boot-spl.bin and u-boot.bin: |
| 343 | |
| 344 | binman { |
| 345 | multiple-images; |
| 346 | image1 { |
| 347 | u-boot { |
| 348 | }; |
| 349 | }; |
| 350 | |
| 351 | image2 { |
| 352 | spl { |
| 353 | }; |
| 354 | u-boot { |
| 355 | }; |
| 356 | }; |
| 357 | }; |
| 358 | |
| 359 | end-at-4gb: |
| 360 | For x86 machines the ROM positions start just before 4GB and extend |
| 361 | up so that the image finished at the 4GB boundary. This boolean |
| 362 | option can be enabled to support this. The image size must be |
| 363 | provided so that binman knows when the image should start. For an |
| 364 | 8MB ROM, the position of the first entry would be 0xfff80000 with |
| 365 | this option, instead of 0 without this option. |
| 366 | |
| 367 | |
| 368 | Examples of the above options can be found in the tests. See the |
| 369 | tools/binman/test directory. |
| 370 | |
| 371 | |
| 372 | Order of image creation |
| 373 | ----------------------- |
| 374 | |
| 375 | Image creation proceeds in the following order, for each entry in the image. |
| 376 | |
| 377 | 1. GetEntryContents() - the contents of each entry are obtained, normally by |
| 378 | reading from a file. This calls the Entry.ObtainContents() to read the |
| 379 | contents. The default version of Entry.ObtainContents() calls |
| 380 | Entry.GetDefaultFilename() and then reads that file. So a common mechanism |
| 381 | to select a file to read is to override that function in the subclass. The |
| 382 | functions must return True when they have read the contents. Binman will |
| 383 | retry calling the functions a few times if False is returned, allowing |
| 384 | dependencies between the contents of different entries. |
| 385 | |
| 386 | 2. GetEntryPositions() - calls Entry.GetPositions() for each entry. This can |
| 387 | return a dict containing entries that need updating. The key should be the |
| 388 | entry name and the value is a tuple (pos, size). This allows an entry to |
| 389 | provide the position and size for other entries. The default implementation |
| 390 | of GetEntryPositions() returns {}. |
| 391 | |
| 392 | 3. PackEntries() - calls Entry.Pack() which figures out the position and |
| 393 | size of an entry. The 'current' image position is passed in, and the function |
| 394 | returns the position immediately after the entry being packed. The default |
| 395 | implementation of Pack() is usually sufficient. |
| 396 | |
| 397 | 4. CheckSize() - checks that the contents of all the entries fits within |
| 398 | the image size. If the image does not have a defined size, the size is set |
| 399 | large enough to hold all the entries. |
| 400 | |
| 401 | 5. CheckEntries() - checks that the entries do not overlap, nor extend |
| 402 | outside the image. |
| 403 | |
| 404 | 6. ProcessEntryContents() - this calls Entry.ProcessContents() on each entry. |
| 405 | The default implementatoin does nothing. This can be overriden to adjust the |
| 406 | contents of an entry in some way. For example, it would be possible to create |
| 407 | an entry containing a hash of the contents of some other entries. At this |
| 408 | stage the position and size of entries should not be adjusted. |
| 409 | |
| 410 | 7. BuildImage() - builds the image and writes it to a file. This is the final |
| 411 | step. |
| 412 | |
| 413 | |
| 414 | Advanced Features / Technical docs |
| 415 | ---------------------------------- |
| 416 | |
| 417 | The behaviour of entries is defined by the Entry class. All other entries are |
| 418 | a subclass of this. An important subclass is Entry_blob which takes binary |
| 419 | data from a file and places it in the entry. In fact most entry types are |
| 420 | subclasses of Entry_blob. |
| 421 | |
| 422 | Each entry type is a separate file in the tools/binman/etype directory. Each |
| 423 | file contains a class called Entry_<type> where <type> is the entry type. |
| 424 | New entry types can be supported by adding new files in that directory. |
| 425 | These will automatically be detected by binman when needed. |
| 426 | |
| 427 | Entry properties are documented in entry.py. The entry subclasses are free |
| 428 | to change the values of properties to support special behaviour. For example, |
| 429 | when Entry_blob loads a file, it sets content_size to the size of the file. |
| 430 | Entry classes can adjust other entries. For example, an entry that knows |
| 431 | where other entries should be positioned can set up those entries' positions |
| 432 | so they don't need to be set in the binman decription. It can also adjust |
| 433 | entry contents. |
| 434 | |
| 435 | Most of the time such essoteric behaviour is not needed, but it can be |
| 436 | essential for complex images. |
| 437 | |
| 438 | |
| 439 | History / Credits |
| 440 | ----------------- |
| 441 | |
| 442 | Binman takes a lot of inspiration from a Chrome OS tool called |
| 443 | 'cros_bundle_firmware', which I wrote some years ago. That tool was based on |
| 444 | a reasonably simple and sound design but has expanded greatly over the |
| 445 | years. In particular its handling of x86 images is convoluted. |
| 446 | |
| 447 | Quite a few lessons have been learned which are hopefully be applied here. |
| 448 | |
| 449 | |
| 450 | Design notes |
| 451 | ------------ |
| 452 | |
| 453 | On the face of it, a tool to create firmware images should be fairly simple: |
| 454 | just find all the input binaries and place them at the right place in the |
| 455 | image. The difficulty comes from the wide variety of input types (simple |
| 456 | flat binaries containing code, packaged data with various headers), packing |
| 457 | requirments (alignment, spacing, device boundaries) and other required |
| 458 | features such as hierarchical images. |
| 459 | |
| 460 | The design challenge is to make it easy to create simple images, while |
| 461 | allowing the more complex cases to be supported. For example, for most |
| 462 | images we don't much care exactly where each binary ends up, so we should |
| 463 | not have to specify that unnecessarily. |
| 464 | |
| 465 | New entry types should aim to provide simple usage where possible. If new |
| 466 | core features are needed, they can be added in the Entry base class. |
| 467 | |
| 468 | |
| 469 | To do |
| 470 | ----- |
| 471 | |
| 472 | Some ideas: |
| 473 | - Fill out the device tree to include the final position and size of each |
| 474 | entry (since the input file may not always specify these) |
| 475 | - Use of-platdata to make the information available to code that is unable |
| 476 | to use device tree (such as a very small SPL image) |
| 477 | - Write an image map to a text file |
| 478 | - Allow easy building of images by specifying just the board name |
| 479 | - Produce a full Python binding for libfdt (for upstream) |
| 480 | - Add an option to decode an image into the constituent binaries |
| 481 | - Suppoort hierarchical images (packing of binaries into another binary |
| 482 | which is then placed in the image) |
| 483 | - Support building an image for a board (-b) more completely, with a |
| 484 | configurable build directory |
| 485 | - Consider making binman work with buildman, although if it is used in the |
| 486 | Makefile, this will be automatic |
| 487 | - Implement align-end |
| 488 | |
| 489 | -- |
| 490 | Simon Glass <sjg@chromium.org> |
| 491 | 7/7/2016 |